Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp3451609pxk; Mon, 21 Sep 2020 14:11:15 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwNmN6TPVVpBAeY5w5BZae88ehJtATnqP3+onUN5H+TKgE/P1J9W0sTsNmsM6v96W1ckWf/ X-Received: by 2002:a17:906:4a07:: with SMTP id w7mr1460740eju.366.1600722675551; Mon, 21 Sep 2020 14:11:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1600722675; cv=none; d=google.com; s=arc-20160816; b=rhZcIyF5ZtfJJrj9HwNi3wjn9BhMfpI7dKHy2hVoVA+zVZJ06q841ST9ffZCjQav5Y Ja2i2E5o5KhhOGy1LtwmSztBr/Seg8jlSH+HKnEIM3nSZmH8I/AGCArcWXwRQQMgWyRW 2Yq+bqL606EGZcFuAoZvCNIjXy9iRsECH8xWGhvLR2ayWOcnab2cDGj0SZa0/rcZ+fIN EiovBFQlotEJjYaq81c/7XHkMp/0QB5BkTWzXfhyCTgFKdAu4fthy/i5v2H6wlGKwsB2 zPU+DsPlSPQIjKQArpssqcbYbEhIgeWZWkMHOisqHMAlON9y8FpbTjDzGrAu9LMZrw1i VeoQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:organization:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :ironport-sdr:ironport-sdr; bh=ammQrDHRDA3znjiSBeBGJn5Eb//DuadHKiIcvBAl8tc=; b=hvGPhNq2607fd/Dk8MIuoSjZBGKSFu7qr9q2/i8g6ViMBc/zjKR0jE7W1y5nBaQmVg RRcGrtIGC1i+4beE4FSSU+UbvcFq6UDDndZv217tgicRoTRcniTqPS3gz/pcLdjSmmk8 J4my35RVtxxH+FxdCs3tXW5Q6mzyeAJ0Txb34jFgEqHwJGC6u1HzTNd9kOnUllXwbyTX QuDr3Pf/aU7hmitCBcX/qBwVaSWpvOwxnXg2ffeJ2ns1ft2762SOvjS7hIEe1OM9DzN2 25BHjssuD8LMBykPDAAtfM3ZHZdkU1clpMjXCZ3a5fJ+8OT4Ai77Ah70ej8xOxiig3II EB8w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id r7si9046510ejy.514.2020.09.21.14.10.52; Mon, 21 Sep 2020 14:11:15 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726796AbgIUVHq (ORCPT + 99 others); Mon, 21 Sep 2020 17:07:46 -0400 Received: from mga12.intel.com ([192.55.52.136]:24800 "EHLO mga12.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726441AbgIUVHq (ORCPT ); Mon, 21 Sep 2020 17:07:46 -0400 IronPort-SDR: /rjg3tyco10PAXPI5GY/M5pKCq3ic3yszBtSfL1bmGMrpXdl9vdxj5gCYUwcgt6ZlExQL+rn6p vv/ruLn5MQCg== X-IronPort-AV: E=McAfee;i="6000,8403,9751"; a="139964485" X-IronPort-AV: E=Sophos;i="5.77,288,1596524400"; d="scan'208";a="139964485" X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga005.jf.intel.com ([10.7.209.41]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 21 Sep 2020 14:07:45 -0700 IronPort-SDR: wNwnTNAM5ERduoiu28YwFRd0UBOnm3SIUU5AD4goCxAsx3sByaFOizwkhBI1qP/CQGQq0rFEag 1T4MmGFQFDJA== X-IronPort-AV: E=Sophos;i="5.77,288,1596524400"; d="scan'208";a="485667937" Received: from kofels-mobl.ger.corp.intel.com (HELO localhost) ([10.249.45.179]) by orsmga005-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 21 Sep 2020 14:07:38 -0700 Date: Tue, 22 Sep 2020 00:07:36 +0300 From: Jarkko Sakkinen To: Sean Christopherson Cc: Andy Lutomirski , X86 ML , linux-sgx@vger.kernel.org, LKML , Linux-MM , Andrew Morton , Matthew Wilcox , Jethro Beekman , Darren Kenny , Andy Shevchenko , asapek@google.com, Borislav Petkov , "Xing, Cedric" , chenalexchen@google.com, Conrad Parker , cyhanish@google.com, Dave Hansen , "Huang, Haitao" , Josh Triplett , "Huang, Kai" , "Svahn, Kai" , Keith Moyer , Christian Ludloff , Neil Horman , Nathaniel McCallum , Patrick Uiterwijk , David Rientjes , Thomas Gleixner , yaozhangx@google.com Subject: Re: [PATCH v38 10/24] mm: Add vm_ops->mprotect() Message-ID: <20200921210736.GB58176@linux.intel.com> References: <20200915112842.897265-1-jarkko.sakkinen@linux.intel.com> <20200915112842.897265-11-jarkko.sakkinen@linux.intel.com> <20200918235337.GA21189@sjchrist-ice> <20200921124946.GF6038@linux.intel.com> <20200921165758.GA24156@linux.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200921165758.GA24156@linux.intel.com> Organization: Intel Finland Oy - BIC 0357606-4 - Westendinkatu 7, 02160 Espoo Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Sep 21, 2020 at 09:57:58AM -0700, Sean Christopherson wrote: > On Mon, Sep 21, 2020 at 03:49:46PM +0300, Jarkko Sakkinen wrote: > > On Fri, Sep 18, 2020 at 04:53:37PM -0700, Sean Christopherson wrote: > > > a noexec filesystem by loading code into an enclave, and to give the kernel the > > > option of adding enclave specific LSM policies in the future. > > > > > > The source file (if one exists) for the enclave is long gone when the enclave > > > is actually mmap()'d and mprotect()'d. To enforce noexec, the requested > > > permissions for a given page are snapshotted when the page is added to the > > > enclave, i.e. when the enclave is built. Enclave pages that will be executable > > > must originate from an a MAYEXEC VMA, e.g. the source page can't come from a > > > noexec file system. > > > > noexec check is done in __sgx_encl_add_page(), not in this callback. > > sgx_vma_mprotect() calls sgx_encl_may_map(), which iterates the > > addresses, checks that permissions are not surpassed and there are > > no holes. > > Yes, that's what I said. sgx_encl_add_page() will remove such page. The callback does not interact with this process as such pages never get to the enclave. > I would copy-paste the part of the response that was snipped... I do agree with the main conclusions but it contains also things that I do not see relating that much, like noexec partitions. It goes too far in detail what will LSM's end up doing. I absolutely do not want to forecast too far how LSM hooks would work. Since we do not have ioctl's for EMODPE and such, I see EMODPE as the only reason for doing this right now. Otherwise, we are in trouble with any possible LSM callbacks. For any sort of access control decision, things decided must stick. I would add something like this to the commit message largely based on your text: "SGX stores the permissions for each page when they are first added, and will implement this callback to check that mmap() or mprotect() does not surpass these permissions in the requested address range. This is done to prevent using EMODPE upgrading permissions of a page after mmap() or mprotect() has been done, which would prevent any sort of LSM callbacks to be implemented later on because the access control decision could deprecate." /Jarkko